Publicly Accessible Cluster Endpoints

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: EKS-001

Ensure that your Amazon EKS cluster's Kubernetes API server endpoint is not publicly accessible from the Internet, to avoid exposing private data and to minimize security risks. The level of access you need for your Kubernetes API server endpoints depends on your EKS application use cases; for most use cases, however, Cloud Conformity recommends that the API server endpoints be accessible only from within your AWS Virtual Private Cloud (VPC).

This rule can help you with the following compliance standards:

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

During each cluster launch, Amazon EKS creates an endpoint for the managed Kubernetes API server that you can use to communicate with your newly created cluster. By default, this AWS-managed API server endpoint can be accessed directly from outside the Virtual Private Cloud (VPC), so any host on the Internet can reach your EKS cluster through its public endpoint, which increases the opportunity for malicious activity and attacks. To follow security best practices, you can completely disable public access to your API server endpoint so that it is no longer reachable from the Internet.


Audit

To determine if your AWS EKS cluster endpoints are publicly accessible, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon EKS dashboard at https://console.aws.amazon.com/eks/.

03 In the left navigation panel, under Amazon EKS, select Clusters.

04 Click on the name of the EKS cluster that you want to examine to access the resource configuration settings.

05 On the selected cluster settings page, within the Networking section, check the API server endpoint access configuration attributes. If the Public access attribute value is set to Enabled and the Private access attribute value is set to Disabled, the selected Amazon EKS cluster API server endpoint is publicly accessible and prone to security risks.

06 Repeat steps no. 4 and 5 to determine the Kubernetes API server endpoint access configuration for other AWS EKS clusters available within the current region.

07 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run the list-clusters command (OSX/Linux/UNIX) with a custom query filter to list the names of all AWS EKS clusters available in the selected region:

aws eks list-clusters \
	--region us-east-1 \
	--output table \
	--query 'clusters'

02 The command output should return a table with the requested EKS cluster identifiers:

-------------------------
|     ListClusters      |
+-----------------------+
|  cc-eks-mobile-app    |
|  cc-eks-kube-stack    |
+-----------------------+

03 Run the describe-cluster command (OSX/Linux/UNIX) with the name of the EKS cluster that you want to examine as the identifier parameter and a custom query filter to describe the Kubernetes API server endpoint access configuration of the selected Amazon EKS resource:

aws eks describe-cluster \
	--region us-east-1 \
	--name cc-eks-mobile-app \
	--query 'cluster.resourcesVpcConfig.{endpointPrivateAccess: endpointPrivateAccess, endpointPublicAccess: endpointPublicAccess}'

04 The command output should return the requested endpoint access configuration metadata:

{
    "endpointPrivateAccess": false,
    "endpointPublicAccess": true
}

If the "endpointPrivateAccess" configuration attribute is set to false and the "endpointPublicAccess" attribute is set to true, as shown in the example output above, the selected Amazon EKS cluster's Kubernetes API server endpoint is publicly accessible from the Internet.

05 Repeat steps no. 3 and 4 to verify the Kubernetes API server endpoint access configuration for other Amazon EKS clusters available in the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.
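The audit steps above, scripted so that they cover every cluster in every region. This is an added example and not part of the Conformity page or of the AWS CLI: it runs the same list-clusters and describe-cluster commands, but reads the JSON with a small sed helper (json_bool) so that the classification logic can be exercised offline against a constructed copy of the sample output shown above. It goes slightly beyond the page's stated condition: any cluster with endpointPublicAccess=true is reported as reachable from the Internet, and PUBLIC_ONLY is exactly the Public-enabled / Private-disabled case the rule describes. The --run flag, the helper names and the verdict labels are this example's own conventions.

```shell
#!/bin/sh
# Added example (not Conformity's or AWS's own tooling): audit the Kubernetes
# API endpoint access of every EKS cluster in every region and report the
# clusters whose endpoint accepts traffic from the Internet.

# json_bool JSON KEY: extract the JSON boolean for KEY from pretty-printed
# describe-cluster output (the value sits on the same line as the key).
json_bool() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\([a-z]*\).*/\1/p" | head -n 1
}

# classify_endpoint_access PUBLIC PRIVATE: map the two flags to a verdict.
classify_endpoint_access() {
  case "$1/$2" in
    true/false)  echo PUBLIC_ONLY ;;          # the EKS-001 finding as described on the page
    true/true)   echo PUBLIC_AND_PRIVATE ;;   # still reachable from the Internet
    false/true)  echo PRIVATE_ONLY ;;         # compliant: VPC-only access
    false/false) echo NONE ;;                 # not a valid EKS configuration
    *)           echo UNKNOWN; return 1 ;;
  esac
}

# is_public VERDICT: succeed when the endpoint accepts Internet traffic.
is_public() {
  case "$1" in PUBLIC_ONLY|PUBLIC_AND_PRIVATE) return 0 ;; *) return 1 ;; esac
}

# classify_cluster_json JSON: verdict for one resourcesVpcConfig JSON document.
classify_cluster_json() {
  classify_endpoint_access \
    "$(json_bool "$1" endpointPublicAccess)" \
    "$(json_bool "$1" endpointPrivateAccess)"
}

# Constructed sample, mirroring the describe-cluster output shown on the page.
SAMPLE_PUBLIC='{
    "endpointPrivateAccess": false,
    "endpointPublicAccess": true
}'

# audit_region REGION: print "REGION CLUSTER VERDICT" for each cluster found.
audit_region() {
  region="$1"
  for name in $(aws eks list-clusters --region "$region" --query 'clusters' --output text); do
    cfg=$(aws eks describe-cluster --region "$region" --name "$name" \
            --query 'cluster.resourcesVpcConfig' --output json)
    printf '%s %s %s\n' "$region" "$name" "$(classify_cluster_json "$cfg")"
  done
}

# Only talk to AWS when invoked with --run, so the helpers above can be
# sourced and tested without credentials.
if [ "${1:-}" = "--run" ]; then
  report=$(for r in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
    audit_region "$r"
  done)
  printf '%s\n' "$report"
  # Fail the run when at least one cluster still accepts traffic from the Internet.
  if printf '%s\n' "$report" | grep -q ' PUBLIC'; then exit 1; fi
fi
```

Run it as `sh eks_endpoint_audit.sh --run` with credentials that allow eks:ListClusters, eks:DescribeCluster and ec2:DescribeRegions. Because it exits non-zero when any cluster is still reachable from the Internet, it can serve as a scheduled or CI check that complements the manual steps above.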

Remediation / Resolution

To reconfigure the visibility of your EKS cluster API server endpoints to the Internet in order to disable public accessibility, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon EKS dashboard at https://console.aws.amazon.com/eks/.

03 In the left navigation panel, under Amazon EKS, select Clusters.

04 Click on the name of the EKS cluster that you want to reconfigure (see Audit section part I to identify the right EKS resource).

05 On the selected EKS cluster configuration page, click the Update button available in the Networking section to update the API server endpoint access configuration for the selected cluster.

06 On the Update API server endpoint access page, in the Networking section, perform the following:

  1. For Private access, select Enabled to enable private access for your cluster's Kubernetes API server endpoint. Once private access is enabled, Kubernetes API requests that originate from within your cluster's VPC use the private VPC endpoint.
  2. For Public access, select Disabled to disable public access for your cluster's Kubernetes API server endpoint. When public access is disabled, your cluster's Kubernetes API server endpoint can only receive requests from within the EKS cluster VPC. This configuration setting is mandatory in order to disable public access.
  3. Click UPDATE to apply the changes.

07 Repeat steps no. 4 – 6 to disable API server endpoint public access for other Amazon EKS clusters available in the current region.

08 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run the update-cluster-config command (OSX/Linux/UNIX) with the name of the EKS cluster that you want to reconfigure as the identifier parameter (see Audit section part II to identify the right resource). The command disables public access for the selected cluster's Kubernetes API server endpoint and enables private access, so that the API server can be reached only from within your Virtual Private Cloud (VPC):

aws eks update-cluster-config \
	--region us-east-1 \
	--name cc-eks-mobile-app \
	--resources-vpc-config endpointPublicAccess=false,endpointPrivateAccess=true

02 The command output should return the new configuration metadata available for the API server endpoint access configuration:

{
    "update": {
        "status": "InProgress",
        "errors": [],
        "params": [
            {
                "type": "EndpointPublicAccess",
                "value": "false"
            },
            {
                "type": "EndpointPrivateAccess",
                "value": "true"
            }
        ],
        "type": "EndpointAccessUpdate",
        "id": "abcd1234-abcd-abcd-abcd-1234abcd1234",
        "createdAt": 1567587198.448
    }
}

03 Run the describe-update command (OSX/Linux/UNIX) with the EKS cluster name and the update ID returned at the previous step as identifier parameters to confirm that the configuration change has been applied. The EKS cluster API server endpoint access configuration update is complete when the status is set to "Successful":

aws eks describe-update \
	--region us-east-1 \
	--name cc-eks-mobile-app \
	--update-id abcd1234-abcd-abcd-abcd-1234abcd1234 \
	--query 'update.status'

04 The command output should return the requested update status:

"Successful"

05 Repeat steps no. 1 – 4 to disable API server endpoint public access for other Amazon EKS clusters available within the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.
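Scripted remediation for a single cluster, as an added example that is not code from the page. It submits the same update-cluster-config change as step 1, reads the update ID from the response, and then polls describe-update until EKS reports a terminal status, since the endpoint access change is applied asynchronously and "InProgress" is what the first response returns. The helpers json_string and is_terminal_status, the --run convention and the 15-second poll interval are this example's own choices; the region and cluster name are placeholders, and the sample response is a constructed copy of the output shown in step 2.

```shell
#!/bin/sh
# Added example (not code from the Conformity page): disable public access on
# one EKS cluster's API endpoint and wait until EKS reports the update as done.

# json_string JSON KEY: value of a string field, e.g. "id": "abcd..." -> abcd...
json_string() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# is_terminal_status STATUS: EKS update statuses are InProgress, Successful,
# Failed and Cancelled; succeed once polling can stop.
is_terminal_status() {
  case "$1" in Successful|Failed|Cancelled) return 0 ;; *) return 1 ;; esac
}

# Constructed sample, mirroring the update-cluster-config response on the page.
SAMPLE_UPDATE='{
    "update": {
        "status": "InProgress",
        "errors": [],
        "type": "EndpointAccessUpdate",
        "id": "abcd1234-abcd-abcd-abcd-1234abcd1234",
        "createdAt": 1567587198.448
    }
}'

# disable_public_access REGION CLUSTER: submit the change and wait for it.
# Returns 0 only when EKS reports the update as Successful.
disable_public_access() {
  region="$1"; name="$2"
  out=$(aws eks update-cluster-config --region "$region" --name "$name" \
          --resources-vpc-config endpointPublicAccess=false,endpointPrivateAccess=true \
          --output json)
  update_id=$(json_string "$out" id)
  [ -n "$update_id" ] || { echo "no update id returned for $name" >&2; return 1; }
  status=$(json_string "$out" status)
  # The change is applied asynchronously; poll every 15 seconds (example choice).
  until is_terminal_status "$status"; do
    sleep 15
    status=$(aws eks describe-update --region "$region" --name "$name" \
               --update-id "$update_id" --query 'update.status' --output text)
  done
  echo "$name: $status"
  [ "$status" = "Successful" ]
}

# Only talk to AWS when invoked as: sh script.sh --run REGION CLUSTER
if [ "${1:-}" = "--run" ]; then
  disable_public_access "${2:-us-east-1}" "${3:?cluster name required}"
fi
```

Before running this against a cluster you administer, make sure you already have a path into the VPC (a bastion host, VPN or Direct Connect connection): once public access is disabled, kubectl sessions from outside the VPC, including your own, no longer reach the API server. An update can also end as Failed or Cancelled; the function returns non-zero in those cases so that a calling script does not assume the change landed.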

Publication date Sep 11, 2019